By Ian Roncoroni | Co-Founder and COO of NextCaller
The old adage states that the only two certainties in life are death and taxes – but for banks and other financial institutions a third certainty exists: fraud.
In 2015, one international crime organization was able to impersonate bank officials at over 100 banks following a malware attack and bilk a number of financial institutions out of over $900 million. A similar scam in Brazil netted $3.75 billion. While the potential financial losses to banks are enormous, the erosion of customer trust and bank integrity that fraud causes is even larger.
This tax season has provided a very clear, albeit dreary, window into the evolution of fraud as scammers have increased both the frequency and methods used to target individuals and businesses. Here’s a look at what financial institutions can expect in 2016 as this nefarious landscape develops.
1. The call center will be the next fraud frontier
While cybercrime and DDoS attacks may have garnered headlines in 2015, 2016/2017 will see the call center as the point of attack for fraudsters and their underhanded schemes.
It is estimated that 90% of fraudulent scams aimed at enterprise businesses have at least one touch point with the call center, and the rate of fraudulent calls in the United States is estimated to be rising at a rate of 29% per year. According to Fraud.org, for the third year in a row, the telephone was the most frequent way fraudsters reached victims (46%) — considerably more common than Web (32%) and email (11%).
Today, as has been seen with the influx of IRS tax scams, a significant portion of the fraudulent calls utilize a technique called “spoofing”. Just like an individual who is about to rob a bank would wear a disguise, these criminals disguise (or “spoof”) their number to appear as if it has originated from somewhere else on a Caller ID system. This allows fraudsters to trick agents into believing that they are a legitimate customer, or worse, can allow them to be fast-tracked in the IVR towards an authentication process that requires no human interaction.
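The fast-tracking risk in the paragraph above can be shown with a small policy model: an IVR that unlocks self-service on a Caller ID match alone, beside one that treats the presented number only as a risk signal. This is an added example, not code from the article or from NextCaller; the account directory, the phone numbers and the three routing outcomes are constructed assumptions.

```python
# Added example (not from the article): modelling an IVR that must not treat
# Caller ID (ANI) as proof of identity, because the presented number is
# attacker-controllable. All records and numbers below are constructed.
from dataclasses import dataclass

# Constructed customer directory: account id -> phone number on file.
PHONE_ON_FILE = {
    "acct-1001": "+15551230001",
    "acct-1002": "+15551230002",
}


@dataclass
class InboundCall:
    claimed_account: str              # account the caller keyed into the IVR
    caller_id: str                    # ANI as presented by the network (untrusted)
    otp_valid: bool = False           # one-time code sent to the number on file, entered correctly
    knowledge_checks_passed: int = 0  # challenge questions answered correctly


def weak_ivr_auth(call):
    """The exposure described above: a Caller ID match alone unlocks self-service.

    A spoofed ANI equal to the number on file passes this check with no
    human interaction at all."""
    return PHONE_ON_FILE.get(call.claimed_account) == call.caller_id


def hardened_ivr_auth(call):
    """Caller ID only adjusts risk; a possession or knowledge factor decides.

    Returns a routing decision ("self-service", "agent-review" or "deny")
    plus reason codes suitable for an audit log."""
    reasons = []
    ani_match = PHONE_ON_FILE.get(call.claimed_account) == call.caller_id
    reasons.append("ani_match" if ani_match else "ani_mismatch")

    # A one-time code is delivered to the number on file. Spoofing changes the
    # number a call appears to come from; it does not let the caller receive a
    # message sent to that number, so a valid code demonstrates possession.
    if call.otp_valid:
        reasons.append("otp_verified")
        return "self-service", reasons

    if call.knowledge_checks_passed >= 2:
        reasons.append("knowledge_verified")
        # Knowledge factors can be phished, so without a possession factor a
        # caller whose ANI does not match is routed to a human agent.
        return ("self-service" if ani_match else "agent-review"), reasons

    reasons.append("no_second_factor")
    return "deny", reasons


if __name__ == "__main__":
    spoofed = InboundCall("acct-1001", "+15551230001")  # ANI forged to match
    print("weak:", weak_ivr_auth(spoofed))              # True: fast-tracked
    print("hardened:", hardened_ivr_auth(spoofed))      # ('deny', [...])
```

The reason codes are the detection hook: a stream of calls that arrive with a matching ANI but never present a second factor is exactly the pattern an analyst would want surfaced, and `weak_ivr_auth` would have logged nothing at all.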
2. Financial institutions will self-enforce
In anticipation, or as a direct result of painful experience, some banks are already moving towards self-regulation to protect themselves from fraudulent schemes. The China Banking Regulatory Commission, after a rash of phone fraud targeting banks and their customers, placed a limit on the number of accounts that can be opened by an individual and restricted the ability of customers to open accounts for third parties.
Currently, the United States permits bank customers to open as many accounts as the consumer sees fit – expect this policy to be re-examined as United States banks increasingly encounter the type of brute force identity theft attacks and social engineering that China had to navigate prior to their decision to limit accounts.
Furthermore, the proliferation of Fintech startups, which have increasingly taken on the HR and payroll responsibilities for businesses, has increased the number of access points for hackers and fraudsters to exploit security gaps and commit identity theft. 2016 will be a pivotal year for financial institutions in the fraud space, as banks are tasked with getting ahead of the fraudsters and hackers who have used phone fraud, phishing, SMiShing, and social engineering to bypass security protocols at firms such as Snapchat, SEFCU, and Seagate. Expect more banks to move towards creating self-imposed restrictions and tightening the way they work with service providers to fill any security gaps that exist.
3. Lawmakers will be forced to act
Just as EMV chip adoption unintentionally pushed fraudsters and criminals towards cybercrime and telephone scams, the changing legislative landscape in the United States will direct a surge of attacks on enterprise businesses and financial institutions.
Senator Chuck Schumer (D-NY) has already come out strongly against call spoofing, stating that “We need to swat down this disturbing trend before it is too late and someone is seriously hurt.” Senators Deb Fischer (R-NE) and Bill Nelson (D-FL) have proposed the Spoofing Prevention Act of 2016, which aims to increase government oversight over the role that the FCC and FTC play in stopping spoofing and educating consumers about how to protect themselves from this nefarious practice.
While taking a strong stand against call spoofing, these legal maneuverings only apply to consumer-facing spoofing, leaving businesses and financial institutions without guidance or protections. Naturally, as more individuals educate and protect themselves against these scams, and applications are released to arm consumers against them, fraudsters will increasingly turn their eyes towards enterprise businesses and financial institutions. But since the current state of fraud prevention is detection after the fact, banks may find themselves shopping for viable spoof-prevention solutions after irreparable damage has already been done to their customers’ faith in the bank’s security protocols.
4. Customers will be targeted where they least expect
The massive increase in “Card-Not-Present” scams, where fraudsters use phishing attacks to obtain enough information about a valid card holder to use their credit or debit card, will likely continue. However, where these scams have traditionally relied on phone and email (the perpetrator places a call that appears to come from a supervisor and requests information such as W-2s, or sends an email containing a malicious link that yields similar access), 2016 will see fraudsters using channels that customers are less likely to be suspicious of.
SMiShing scams utilize the same logic, but target customers through direct text messages. While we’ve long been conditioned to view emails with suspicion (think of the famed “Nigerian Prince” scams), and are becoming more aware of phone scams, many don’t have that same discerning eye for texts. At present, 95% of banks have the option of contacting customers via text regarding their account, so it is not surprising that customers view any text from their bank as official communication. Under SMiShing scams, a text message, purporting to be from the customer’s bank, either includes a malicious link or is written in such a way that the customer is compelled to call a fraudulent number to turn over personal information.
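A defender-side triage of incoming text messages can be built on exactly the properties described above: a message claiming to come from the bank whose link or callback number is not one the bank actually owns, usually wrapped in urgency language. The block below is an added example, not code from the article or from NextCaller; the bank name, the two allowlists and the three sample messages are constructed, and the two-label registrable-domain heuristic is a simplification of a proper public-suffix lookup.

```python
# Added example (not from the article): triaging SMS text for the SMiShing
# pattern described above. The bank name, allowlists and sample messages
# are all constructed for this example.
import re
from urllib.parse import urlparse

BANK_DOMAINS = {"examplebank.com"}   # constructed: domains the bank really owns
BANK_NUMBERS = {"+18005550100"}      # constructed: the bank's official callback numbers

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URGENCY_WORDS = ("locked", "suspended", "verify", "immediately",
                 "unusual activity", "act now")

SAMPLES = [  # constructed messages: two smishing attempts and one legitimate alert
    "ExampleBank alert: your account has been locked. Verify now at "
    "http://examplebank-secure.com/verify",
    "ExampleBank: unusual activity on card ending 4421. "
    "Call 1-888-555-0199 immediately.",
    "ExampleBank: your statement is ready at "
    "https://alerts.examplebank.com/statements. Questions? Call +1 800 555 0100.",
]


def normalize_phone(raw):
    """Reduce any North American formatting to E.164 for allowlist comparison."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def registrable_domain(host):
    """Last two labels of the host. Simplification: a real deployment would use
    the public suffix list so that e.g. 'bank.co.uk' is handled correctly."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def extract_domains(text):
    """Hostnames of every URL-looking token in the message."""
    hosts = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.lower().startswith(("http://", "https://")):
            url = "http://" + url  # give urlparse a scheme so it sees a netloc
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def triage_sms(text):
    """Return (verdict, findings). A link or number the bank does not own is
    decisive; urgency language alone only marks the message for review."""
    findings = []
    for host in extract_domains(text):
        if registrable_domain(host) not in BANK_DOMAINS:
            findings.append(f"link to domain not owned by the bank: {host}")
    for m in PHONE_RE.finditer(text):
        number = normalize_phone(m.group(0))
        if number not in BANK_NUMBERS:
            findings.append(f"callback number not on file: {number}")
    if any(w in text.lower() for w in URGENCY_WORDS):
        findings.append("urgency language")
    hard = [f for f in findings if f != "urgency language"]
    verdict = "suspicious" if hard else ("review" if findings else "ok")
    return verdict, findings


if __name__ == "__main__":
    for msg in SAMPLES:
        verdict, findings = triage_sms(msg)
        print(verdict, findings)
```

The same allowlist approach generalizes beyond one bank: the only inputs are the brand's real domains and callback numbers, which a fraud team already has in inventory, so the check needs no knowledge of the attacker's infrastructure and catches a fresh lookalike domain on its first use.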
5. The industry will search for the “Silver Bullet”
Major strides have been made in the areas of predictive analytics (how a customer should behave) and biometric safeguards, and prepared firms will be rolling out initiatives using one or both of these security defenses in the coming year. However, as both of these popular fraud prevention methods are based on probability and statistics, both are susceptible to gaming by clever hackers and fraudsters, and sometimes do not even identify the fraud until after it has been committed. The reality is, any time you build a better mousetrap, all you get is smarter mice.
While there may never be a “silver bullet” for fraud, when it comes to preventing attacks in the coming months and years, the institutions that choose to invest in resources and technology that allow them to remain on guard will undoubtedly be better prepared to spot attacks before they are able to wreak havoc on their business and customers.